The following are my notes. Author: wingger. This article tests certificates on Linux 9 with Apache 2.0.52, Tomcat 5.5.6, J2SE 1.5 and OpenSSL 0.9.7. Its purpose is to exchange experience; if you find any errors, please point them out. If you reprint it, please credit the source and keep the article intact.

Some basic concepts to understand before installing:

1. The certificates used by SSL can be generated by yourself or signed by a commercial CA such as VeriSign or Thawte.
2. Certificate hierarchy: you must first have a root certificate, and then use that root certificate to issue the server certificate and the client certificate, so the server and client certificates sit one level below the root. The root certificate and the server certificate must be installed in the SSL server for authentication, so this environment needs at least three certificates: the root certificate, the server certificate and the client certificate. Before a certificate is issued, a private key is usually generated first, a certificate request is produced with that private key, and the request is then signed with the root certificate of the CA server.
3. Certificate signing: most of the OpenSSL material I found only generates the root certificate and private key and the server certificate request, and never actually performs the signing. Referring to some documents, I use the CA.sh script shipped with OpenSSL to sign the certificates, rather than sign.sh from mod_ssl. Signing with the raw openssl command syntax has many restrictions, such as the directory layout and key locations, and is troublesome; I tried for several days and finally gave up. If you are interested, refer to the OpenSSL manual.

Step 1: Install OpenSSL and Apache

1. Download openssl-0.9.7e.tar.gz (the latest version) from www.openssl.org.
2. Remove the old OpenSSL library:
- # rpm -e --nodeps openssl
3. Decompress the package:
- # tar xzvf openssl-0.9.7e.tar.gz
4. Enter the OpenSSL directory and install it, using --prefix to specify the OpenSSL installation directory:
- # cd openssl-0.9.7e
- # ./config --prefix=/usr/local/openssl
- # make
- # make test
- # make install
5. Install Apache. Download httpd-2.0.52.tar.gz, the latest Apache version, from www.apache.org/dist, decompress it and enter the Apache directory. Enable the modules you need; I enabled ssl, rewrite and dynamic module loading (so):
- # tar zxvf httpd-2.0.52.tar.gz
- # cd httpd-2.0.52
- # ./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
- # make
- # make install
Step 2: Sign the certificates

After OpenSSL is installed there is a CA.sh script under the OpenSSL installation directory, which is used for signing. We sign three certificates and then use them to deploy the SSL server.

1. Create an ssl.crt directory under /usr/local/apache/conf and copy CA.sh into /usr/local/apache/conf/ssl.crt/:
- [root@win ssl]# cp /usr/local/openssl/ssl/misc/CA.sh /usr/local/apache/conf/ssl.crt/CA.sh
2. Run CA.sh -newca. It looks for the CA's private key and password file; if that file does not exist, press Enter to create it automatically and then enter a password to protect it. Afterwards you are asked for company information to build the CA certificate file. Finally a demoCA directory is added under the current directory: ./demoCA/private/cakey.pem is the CA's key file and ./demoCA/cacert.pem is the CA's certificate file.
- [root@win ssl.crt]# ./CA.sh -newca
Enter the following information:
- Country Name (2 letter code) [GB]: CN
- State or Province Name (full name) [Berkshire]: Fuji
- Locality Name (eg, city) [Newbury]: Fuzhou
- Organization Name (eg, company) [My Company Ltd]: fjjm
- Organizational Unit Name (eg, section) []: FD
- Common Name (eg, your name or your server's hostname) []: Win
- Email Address []: WIN@WIN.COM
This creates a CA server, with the root certificate's private key cakey.pem and the root certificate cacert.pem. You can now sign certificates with cacert.pem.
3. Sign the server certificate. Generate the server private key:
- [root@win ssl.crt]# openssl genrsa -des3 -out server.key 1024
Generate the server certificate request:
- [root@win ssl.crt]# openssl req -new -key server.key -out server.csr
Required information:
- Country Name (2 letter code) [GB]: CN
- State or Province Name (full name) [Berkshire]: Fuji
- Locality Name (eg, city) [Newbury]: Fuzhou
- Organization Name (eg, company) [My Company Ltd]: fjjm
- Organizational Unit Name (eg, section) []: FD
- Common Name (eg, your name or your server's hostname) []: Win
- Email Address []: WIN@WIN.COM
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []: Win
- An optional company name []: Wing
Finally, rename server.csr to newreq.pem and sign it with CA.sh:
- [root@win ssl.crt]# mv server.csr newreq.pem
- [root@win ssl.crt]# ./CA.sh -sign
This produces the server certificate newcert.pem. Rename newcert.pem to server.crt:
- [root@win ssl.crt]# mv newcert.pem server.crt
4. Process the client. Generate the client private key:
- [root@win ssl.crt]# openssl genrsa -des3 -out client.key 1024
Generate the client certificate request:
- [root@win ssl.crt]# openssl req -new -key client.key -out client.csr
Sign it:
- [root@win ssl.crt]# openssl ca -in client.csr -out client.crt
Convert the certificate to PKCS12 format:
- [root@win ssl.crt]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
5. There are now three certificates and three private keys: the root certificate under demoCA, and the server certificate and client certificate under ssl.crt; the root key under demoCA/private, and the server key and client key under ssl.crt. The certificate locations and the server key location are set in ssl.conf under conf. I created the ssl.crt directory under conf and put all the keys and certificates there. Copy the root certificate:
- # cp demoCA/cacert.pem cacert.pem
Copy the certificate again and name it ca.crt:
- # cp cacert.pem ca.crt
Step 3: Edit ssl.conf
- # cd /usr/local/apache/conf
Edit ssl.conf:
- Specify the server certificate location:
- SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
- Specify the server certificate key location:
- SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key
- Certificate directory:
- SSLCACertificatePath /usr/local/apache/conf/ssl.crt
- Root certificate location:
- SSLCACertificateFile /usr/local/apache/conf/ssl.crt/cacert.pem
- Require client certificates (the client certificate must be signed directly by the root, hence depth 1):
- SSLVerifyClient require
- SSLVerifyDepth 1
Start SSL:
- /usr/local/apache/bin/apachectl startssl
The password of server.key is requested; a default SSL server and HTTP server are then started.

Step 4: Install and use the certificate

Copy the ca.crt root certificate and the client.pfx client certificate generated above to the client machine and install them: ca.crt is installed into the trusted root certification authorities store, and client.pfx is imported directly in Windows into the personal certificate store. Then access the HTTP and HTTPS servers by IP address.